Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20160524233429.36792B2E006@smtpvbsrv1.mitre.org>
Date: Tue, 24 May 2016 19:34:29 -0400 (EDT)
From: cve-assign@...re.org
To: misc@...b.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: /tmp usage race condition in onionshare

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> So onionshare use /tmp/onionshare to create a temporary directory
> $HS that is then used for the creation of a tor hidden service, as
> HiddenServiceDir configuration.  Then, the tor daemon create 2 files
> in $HS
> 
> But onionshare doesn't verify the owner or the exact permission of
> /tmp/onionshare.  So if a attacker pre-create a directory
> /tmp/onionshare with 777 permissions and him as a owner, he can use
> a race condition to inject his own files in the share.
> 
> I suspect that using setgid on /tmp/onionshare might also give
> interesting potential attacks.  For example, if umask is not properly
> set, the attacker could steal the private key and hostname

As far as we can tell, there is only one primary problem: the product
accepts the existence of a pre-created /tmp/onionshare for which
ownership and all permission bits are controlled by the attacker.
(Control over the setgid bit isn't really an independent problem with
a realistically independent solution.)

Use CVE-2016-5026.


> I am also not 100% sure that
> https://github.com/micahflee/onionshare/blob/master/onionshare/hs.py#L217
> and
> https://github.com/micahflee/onionshare/blob/master/onionshare/hs.py#L116
> are safe if a attacker control the directory that will be used for
> shutil.rmtree.

Nobody has commented on this today, so we are not going to assign a
separate CVE ID related to an shutil.rmtree impact unless there is
further research by someone.

The code has "self.cleanup_filenames.append(self.hidserv_dir)" and the
product should have been designed so that self.hidserv_dir is never
something controlled by an arbitrary unauthorized local user. Possibly
you are envisioning a threat model in which the attacker controls the
process running tor but not the process running onionshare. In that
situation, it might be important to understand whether there's any
symlink following in shutil.rmtree, because this might allow the tor
process to trigger unlink actions with the privileges of the
onionshare process.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXRORnAAoJEHb/MwWLVhi2AjAP/213PqKqOX4HRjUx4vU2Y4gd
PUqAk17+LR9BgsIbWJTCl1kcXGSlpHHqsgq/8W3OP+Aumsr6iLy5ksZmw7D9xgyW
wYOslFWUA6z9Drt/P24OxiDrHfpqRAxyPclAQJbSgNwmBk9iQK9Tpb+ACLDr3yOU
XBcbnBr1QKT2kOFogdB8bx+Qz/uhR9wAJ0f37nJ+iI3Y6pzeKzMDEHl/je9/Pa+X
iHjUPuKYHU/A+X+2mN3nBmuXJerijn/MBKjgxW3L4DCNOr5NUC1UQ2WULE9WIds1
DS6CvpaVsZXSA5Q094HFvo0M2AoyfePpQuVuGgPZ3tens//In3pr3xkKPT316HW4
eKNH7I9L6Xc604a64TzFmSQnWui7ZlOwFy/0aR8p2mZCBYEKqMkV1OvFx78EE0pw
QpZMRuoz3EcnwNfIhKYpzVzCf1UOKw7srdIfuxnLO6dAPQhMnios26mU7BnxxlLR
4UiZQWeDMZVBqwd+NJnL1NupgAs/4H1mQ+vKIn/obpYnTxGb8q1+x61eyk1Ueh/O
JFBj4gfMnO7v/zA0wtlDK/otE9j/XxWHTw9gKH7BAr3wdbJFPoYnng2CMRFjBva3
Kq4j/ml0BclQDxmk4/3PVc19rO56h0EgMKccArJSVANjMrj3YDmKlTcS2YcaJIVa
zFC5SNEvmY0EdRR6f2gX
=RzaD
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.